Senthil Kumaran S <senthil_at_collab.net> writes:
> Karl Fogel wrote:
>> @@ -1232,6 +1244,10 @@
>> with the normal one here. */
>> else
>> #endif
>> + /* ### RFC: Should the 'use_client_certs' condition also cover the
>> + ### PKCS#11 case above? What about the "PKCS#12" referred to
>> + ### in libsvn_subr/config_file.c:svn_config_ensure()? */
>> + if (use_client_certs)
>> {
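Review bot: the new `if (use_client_certs)` at the end of this hunk attaches only to the `else` that precedes `#endif`, so the branch above that `else` (the PKCS#11 case the comment refers to) is not gated by the setting. The `### RFC` comment raises this but leaves it open in the code. Settle it before commit, either by applying the same condition to the PKCS#11 branch or by documenting that the option governs only this branch, and remove the `###` marker once decided. The comment's PKCS#12 question about `svn_config_ensure()` also needs an answer, so that the generated config text matches what the option actually controls.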
>
> I tested with a PKCS#12 client certificate; it works perfectly.

Thank you for the patch and the testing summary, Senthil. I'm looking
at Joe Orton's mail now, and seeing that we may end up resolving this
issue a completely different way, but I'm still glad to know this patch
got tested, just in case we have to use it after all.
-K

> Following is a summary of what I did to test this patch:
>
> My apache config parameters
>
> <apache-config>
> <Location /svn/repos>
>   DAV svn
>   SVNPath /tmp/repos
>   AuthType Basic
>   AuthName "TEST SVN repository"
>   AuthUserFile /etc/svn-auth-file
>   Require valid-user
>   <IfDefine SSL>
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "CollabNet Inc" and \
>                %{SSL_CLIENT_S_DN_OU} in {"Administration"}
>   </IfDefine>
> </Location>
>
> SSLCertificateFile /usr/local/ssl/CollabCA/server/certs/serverWEB.crt
> SSLCertificateKeyFile /usr/local/ssl/CollabCA/server/keys/serverWEB.key
> SSLCACertificateFile /usr/local/ssl/CollabCA/CollabCA.crt
> SSLVerifyClient optional
> SSLVerifyDepth 2
> </apache-config>
>
> First run with default servers file:
>
> <snip>
> $ svn co https://localhost/svn/repos wc
> Authentication realm: https://localhost:443
> Client certificate filename: /usr/local/ssl/CollabCA/user/certs/stylesen.p12
> Passphrase for '/usr/local/ssl/CollabCA/user/certs/stylesen.p12':
> Authentication realm: <https://localhost:443> TEST SVN repository
> Password for 'stylesen':
> A wc/file1
> A wc/file2
> Checked out revision 2.
> </snip>
>
> Second run with "ssl-use-client-certs = no" servers file:
>
> <snip>
> $ svn co https://localhost/svn/repos wc
> Authentication realm: <https://localhost:443> TEST SVN repository
> Password for 'stylesen':
> A wc/file1
> A wc/file2
> Checked out revision 2.
> </snip>
>
> NOTE: This patch is valid only if you have "SSLVerifyClient optional"
> in your apache config. If you have something like "SSLVerifyClient
> require" it will result in the following error:
>
> <snip>
> ../subversion/libsvn_ra_neon/util.c:603: (apr_err=175002)
> svn: OPTIONS of 'https://localhost/svn/repos': SSL negotiation failed:
> SSL error: sslv3 alert handshake failure (https://localhost)
> </snip>
>
> Thank You.
> --
> Senthil Kumaran S
> http://www.stylesen.org/
Received on 2008-06-30 00:54:13 CEST